102Firewall - amagerard/Docker GitHub Wiki

RedHat/Docker.


2. Firewall.

2.1 Docker firewall.

Docker inserts its own iptables rules ahead of the rules managed by the ufw firewall.
My solution is to stop Docker from creating its firewall rules at all.

Docker should not modify iptables.
touch /etc/docker/daemon.json
vi /etc/docker/daemon.json

{  
"iptables": false  
}  

2.2 Remove iptables rules.

Flush all iptables rules in every table and set the default policies to ACCEPT (the firewall is fully open from this point until ufw is enabled again).

iptables -F  
iptables -X  
iptables -Z  
iptables -t nat -F  
iptables -t nat -X  
iptables -t mangle -F  
iptables -t mangle -X  
iptables -t raw -F  
iptables -t raw -X  
iptables -P INPUT ACCEPT  
iptables -P FORWARD ACCEPT  
iptables -P OUTPUT ACCEPT  

2.3 UFW.

Change ufw's default policy for the FORWARD chain from DROP to ACCEPT.
vi /etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"  

Restart the docker service and enable ufw.
systemctl restart docker
ufw enable

Check that net.ipv4.ip_forward = 1.
sysctl net.ipv4.ip_forward

Add these rules to the firewall (traffic between the Docker networks in 172.16.0.0/12).

ufw allow in from 172.16.0.0/12 to 172.16.0.12/12  
ufw allow out from 172.16.0.0/12 to 172.16.0.12/12  
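Before adding the rules of 2.4 it is worth confirming that the three settings from 2.1 to 2.3 are really in place, because a missing one (Docker still managing iptables, or ufw still dropping forwarded traffic) silently breaks container networking. The following script is an added example, not part of the original wiki page; each check takes the file to inspect as an argument, so it can run against the real files named on this page or against copies.

```shell
#!/bin/sh
# Added example: verify the settings this page changes in 2.1-2.3.
# The function names and the check_host wrapper are this example's own.

# Return 0 when daemon.json disables Docker's iptables management
# (tolerates spaces, tabs and newlines around the key and value).
docker_iptables_disabled() {
    tr -d ' \n\t' < "$1" | grep -q '"iptables":false'
}

# Return 0 when ufw's default FORWARD policy is ACCEPT.
ufw_forward_accept() {
    grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$1"
}

# Return 0 when the kernel forwards IPv4. On a live host the file is
# /proc/sys/net/ipv4/ip_forward, the same value `sysctl net.ipv4.ip_forward` shows.
ip_forward_enabled() {
    [ "$(cat "$1")" = "1" ]
}

# Run all three checks against the live host's files and report each failure.
check_host() {
    rc=0
    docker_iptables_disabled /etc/docker/daemon.json \
        || { echo "daemon.json: \"iptables\": false is missing"; rc=1; }
    ufw_forward_accept /etc/default/ufw \
        || { echo "/etc/default/ufw: DEFAULT_FORWARD_POLICY is not ACCEPT"; rc=1; }
    ip_forward_enabled /proc/sys/net/ipv4/ip_forward \
        || { echo "sysctl: net.ipv4.ip_forward is not 1"; rc=1; }
    return $rc
}
```

Run `check_host` as root after the `systemctl restart docker` step; a non-zero exit means one of the settings above was not applied and the 172.16.0.0/12 rules alone will not give the containers connectivity.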

2.4 Nat rules.

I need to add a single iptables POSTROUTING rule per Docker network.
I don't want to use ufw's before.rules.
I can write the rule and apply it by hand, but it disappears at each reboot of the server.
My solution is to create a script that runs at each reboot of the server.
mkdir /opt/docker
touch /opt/docker/postrouting_sh
chmod 700 /opt/docker/postrouting_sh

Edit /etc/crontab and add at the end.
vi /etc/crontab

#  POSTROUTING  net_xx subnet MASQUERADE  
@reboot root /opt/docker/postrouting_sh  

I will add the POSTROUTING rules later.
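The page leaves the contents of /opt/docker/postrouting_sh for later. The script below is an added example of what that file can contain; it is not the author's script. It assumes one MASQUERADE rule per Docker network of the form `-s SUBNET ! -o BRIDGE -j MASQUERADE` (the shape of the rule Docker itself installs when it manages iptables), and the subnets and bridge names in the NETWORKS table are constructed placeholders to be replaced with the values from `docker network inspect`. Each rule is added only if it is absent, so re-running the script never stacks duplicate rules.

```shell
#!/bin/sh
# Added example for /opt/docker/postrouting_sh (not the wiki author's script).
# cron's PATH is minimal, so make sure iptables is found.
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

# One line per Docker network: "SUBNET BRIDGE". Constructed placeholders;
# take the real values from `docker network inspect <net>`.
NETWORKS="
172.17.0.0/16 docker0
172.18.0.0/16 br-net_xx
"

# Build the match/target part of one MASQUERADE rule: packets from the
# container subnet leaving on any interface other than its own bridge.
masq_rule() {
    printf '%s %s ! -o %s -j MASQUERADE' "-s" "$1" "$2"
}

# Append the rule only when `iptables -C` reports it missing, so the script
# is idempotent (cron firing twice, or a manual re-run, adds nothing).
ensure_masq() {
    rule=$(masq_rule "$1" "$2")
    # word-splitting of $rule into separate arguments is intended
    if ! iptables -t nat -C POSTROUTING $rule 2>/dev/null; then
        iptables -t nat -A POSTROUTING $rule
    fi
}

# Number of non-blank entries in NETWORKS (used to sanity-check the table).
count_networks() {
    echo "$NETWORKS" | grep -c '[^[:space:]]'
}

# Walk the table and make sure every network has its rule.
apply_all() {
    echo "$NETWORKS" | while read -r subnet bridge; do
        [ -n "$subnet" ] || continue
        ensure_masq "$subnet" "$bridge"
    done
}

# Apply only when executed under the name the crontab line uses
# (/opt/docker/postrouting_sh); sourcing or copying the file for a
# dry check defines the functions without touching iptables.
if [ "${0##*/}" = "postrouting_sh" ]; then
    apply_all
fi
```

With the `@reboot root /opt/docker/postrouting_sh` line from the crontab above, the script runs once per boot as root; `iptables -t nat -S POSTROUTING` then shows one MASQUERADE rule per entry of the table, and a second run leaves that list unchanged.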